Tuesday, October 3, 2006
The meeting commenced at 10:00 a.m.
2) Discussion of paper on VVPAT and Paper Based Voting System Requirements
Relating to Usability and Auditability of the Records
3) Other Items
4) Next call Tuesday, October 17, 2006 at 10:30 a.m.
Alicia Clay, Allan Eustis, Anoop Singhal, Barbara Guttman, Bill Burr,
David Wagner, Helen Purcell, John Kelsey, John Wack, Nelson Hastings,
Patrick Gannon, Quin Dang, Rene Peralta, Ron Rivest, Thelma Allen, Wendy
Havens, David Flater
- Allan talked to Commissioner Davidson yesterday, who informed him that
Philip Pearce (Core Requirements Subcommittee) and Tricia Mason (Human
Factors Subcommittee) are confirmed as US Access Board representatives to
the TGDC. Paul Miller (an election official in WA, Core Requirements
Subcommittee) will likely be approved by EAC and NIST soon. David Wagner
has been nominated as the new representative from ANSI to the TGDC.
- Allan: Observed WA post election activities. The state is primarily a
vote by mail state. All four voting vendors have a presence in the state
of WA with DREs to comply with Section 301 of HAVA. Allan saw 3 of the 4
DREs and 4 counties' certification processes. Trip report forthcoming.
- John W: The official ANSI letter appointing David Wagner has been sent
to EAC.
paper on VVPAT and Paper Based Voting System Requirements Relating to
Usability and Auditability of the Records - John Wack
- This was intended initially to be a write up to self after reading
Election Science Institute's paper and meeting with authors to discuss
problems had by Cuyahoga County in auditing their VVPAT systems.
- In a written response, Diebold has challenged a number of things in the
ESI report and so has the Board of Elections in the county.
- It appears as if the Diebold system was set up to permit rudimentary
audits, but it didn't seem to be useful; usability seemed to be the
biggest problem.
- A lot of stuff is not VVPAT specific, more so paper records in general.
- VVPAT defined as DRE with printer.
- Discussion: Flat sheets of paper vs. paper spools is a difficult choice.
Usability issues
either way. Which is better? Does the Human Factors committee have an
opinion? John's personal experience is that handling the spools is difficult.
Spools do maintain a paper record all in one container, but in a continuous
- Bar code issue
- Discussed with the Open Voting Consortium. They like using them. It
makes the paper record have more integrity. Less resistant to damage.
Used for easy sorting. John feels it's an attack vector. You can't trust
that audits of the bar code will occur. It's another record you have
to keep as well as all the other records. It's not transparent to the
voter. If not carefully controlled, it could be trouble in the future.
[Ron feels that bar codes were used for visibility. It could be used
for accessibility reasons. Also it wouldn't be human readable.] Bar
codes can be used for audio translation of names.
- Do we digitally sign electronic records? This isn't specific to VVPATs;
it could be done on DREs, or by ballot marking devices. It means key
pairs on the voting station and how to store them.
- Records would be more useful if they were in an interoperable format;
we've talked about EML. David Flater and the Core Requirements may be
putting something
- Allan: During his post certification experience in WA, of the paper,
mailed-in, op scan ballots, bar codes are used as a record keeping
mechanism on envelopes and in later auditing processes. Helen uses bar
codes to track when the ballots have gone out, and then again when
they've come back to tell who has voted. The codes are not on actual
ballots, so votes cannot be tied to voters.
- Vendor did not do a good job of documenting how an audit should be
conducted or how the records should be used.
- Issues such as digital signatures on records could be controversial.
We want to keep
in mind what's most important and then what would be nice to have. Will
they be used? What's important to election officials when auditing?
We need to be thinking of future.
- We need to think through how digital signatures will be used, the key
management applications.
Are they the lifetime of the machine? A memory card for the machine?
Per election? What is the signature going to accomplish?
- John K: We need to write one or two specifications that we know how to
test. A little
concerned with open-ended testing process being burdened with analyzing
key management in a crypto protocol.
- One of the auditors' issues in Cuyahoga County: trying to figure out
which electronic records
came from which machine, comparing what they had to what was still on
the machine. Also memory cards that contained ballot layout information
actually assigned a machine ID that was not the same as the physical
ID. Robust identification would be good. Vendor should contain database
linking serial numbers or identifiers on machine to public keys. Looking
at electronic records, you should know which machine produced them.
- Processes for audits have not been tried out or well designed. In the
standards, we need to require that someone goes through these audits and
makes sure they actually work. All information needed for an audit needs
to be
available, it needs to be in a form suitable for an audit, and procedures
need to be tested. This needs to go in document requirements for VVSG
07. Performance benchmarks will have to be done as addendum. [Ron thinks
they are easily doable for 07.]
- Ron: Question is what records should be maintained by the machine and
guaranteeing that they're available.
- In order to get certain pieces of information off machines, a
technician would have
to be called - this is not a good procedure. Any interaction with the
machine should be well documented.
- John W: Voting machines should digitally sign their records. For
linking the electronic
records with the paper records and verifying their integrity -- always
include the robust machine identifier and include a unique identifier.
We have key pairs on voting systems. We should include this in our requirements.
- John K: If you are digitally signing electronic records, it does not
add any value to have that signature on the paper records. The paper
record is mostly to check to see if the machine was working properly.
There's no added security by putting a digital signature on the paper
record.
- John W: The reason we have these sorts of requirements is to facilitate
audits of this nature.
Is this the minimum for IV systems? Do we want them to have capabilities
for this type of audit, or do we want them to have capabilities for
full recounts? [John K has a write up on a proposal about this. Email
discussion to follow.]
- Ron: If paper records are suitable for auditing purposes, and the paper
records correspond to the electronic records, why would they not be
suitable for recounts? [John W: Possibility that elections conducted on
a bunch of VVPATs with paper rolls could be suitable for full recount,
but we're getting more into usability issues - more legal issues than
technology issues. It's a design consideration for IVs. John K: The
minimal requirement is that the system is auditable to see if the
machine was misbehaving. It would be nice for records to be suitable for
recounting.]
The meeting adjourned at 11:30 a.m.
Last updated: July 25, 2007